How Does the Cyber Mercenary Business Work?
The Cyber Mercenary Business is Surging, Unfortunately
Reuters wrote a report on the booming business of Cyber mercenaries which we found particularly interesting and thought it was well worth sharing. The report discusses in detail, various cyber mercenary hacks which have been increasing dramatically and most targeted against US-based victims. Let’s start out with a clean definition of a Cyber mercenary to get started. Mercenaries have historically been experienced military soldiers with their main objective being to meet the mission given by the client who has contracted them. Think about a country hiring and paying soldiers outside of their country to help fight a war or conflict as one example. Or if you’ve seen The Expendables movie series you know exactly what we mean by mercenaries.
A warning over cyber mercenaries can be found way back in 2013 in a warning by Britain’s Intelligence and Security Committee, a watchdog body of senior lawmakers that oversees Britain’s spy agencies. The report described the cyber mercenary as “skilled cyber professionals undertaking attacks on diverse targets such as financial institutions and energy companies.” In its 2021 report by the Working Group (WG) on the evolving forms, trends, and manifestations of mercenaries, the WG identified ‘cybermercenaries’ as a contemporary category of actors engaged in mercenary-related activities.
Last year, private, non-state mercenary-style surveillance and hacking groups used Facebook and Instagram to target 50,000 people in over 100 countries, according to a published investigation by Meta, Facebook’s parent company. “Cyber mercenaries often claim their services and their surveillanceware are meant to focus on tracking criminals and terrorists,” said Nathaniel Gleicher, head of security policy at Facebook. “But our investigation and similar investigations by independent researchers, our industry peers, and governments have demonstrated that the targeting is in fact indiscriminate.”
Cyber Mercenary Attack Tactics
The Indian company BellTroX has been active for at least seven years in the surveillance industry. Facebook removed 400 accounts associated with the firm that investigators said were used to pose as politicians and journalists and to stage phishing attacks against victims including doctors, lawyers, activists, and members of the clergy in Angola, Argentina, Saudi Arabia, and Iceland.
The Reuters report revealed several Indian companies in the private sector that have been involved in using cyber espionage tactics against entities involved in litigation in an effort to influence their outcomes. Reuters identified 35 legal cases since 2013 in which Indian hackers attempted to obtain documents from one side or another of a courtroom battle by sending them password-stealing emails. The Facebook messages were often masked as communications from clients, colleagues, friends, or family. Hackers would steal log-in credentials and then search and leverage privileged legal documents to sway the case in their client’s favor.
Organizations hired a single hacker to start, however, the hacker-for-hire situation, grew quickly into an organized commercial enterprise, when he recruited and groomed a small group of fellow Indian co-workers to be hired by private investigators employed by clients involved in lawsuits. The reporting focused on three particular companies (BellTroX, CyberRoot, and Appin), although there are perhaps quite a few more cyber mercenary groups whose customers are both large corporations and wealthy individuals who have a score to settle or simply want to influence a decision by any means necessary.
Cyber Mercenary Business Models
The Reuters reporting centered on the Indian companies we referenced previously, in addition, the report and frankly, we at SecureOps are seeing more and more activity from “cyber mercenaries.” Reuters discussed gray hat cybersecurity-related organizations that advertise their services using IT security like digital forensics, pen testing, information security research, or auditing. According to Microsoft, cyber mercenaries employ two types of business models:
- An Access-For-Hire model where the group sells end-to-end hacking tools to the customer who conducts their operations independent of the group’s help. We wrote a blog post on Ransomware-as-a-Service (RaaS) previously that touched on the growing availability of Ransomware as criminal groups essentially “rent out” easy-to-distribute malware for willing buyers.
- A For-Hire model where the customer provides targeting information, and the group does the criminal work from start to finish. In addition to the organizations, we discussed that were involved in litigation, many of the targets of cyber mercenaries have included politicians, human rights proponents, journalists, and political activists.
The second group of cyber mercenaries is found globally, though recent reports have focused on those based in Austria, China, India, Russia, and the United Arab Emirates. Google’s Threat Analysis Group (TAG) on said recently it had acted to block as many as 36 malicious domains operated by hack-for-hire groups from India, Russia, and the U.A.E. “The hack-for-hire landscape is fluid, both in how the attackers organize themselves and in the wide range of targets they pursue in a single campaign at the behest of disparate clients,” Shane Huntley, director of Google TAG, said in a report.
Emerging Cyber Mercenary Threat Actors
A recent campaign mounted by an Indian hack-for-hire operator is said to have targeted an IT company in Cyprus, an education institution in Nigeria, a fintech company in the Balkans, and a shopping company in Israel, indicating the breadth of victims. The criminal organization, which Google TAG said it’s been tracking since 2012, has been linked to a variety of phishing attacks geared to steal login credentials associated with government agencies, Amazon Web Services (AWS), and Gmail accounts.
The campaign involves sending spear-phishing emails containing a malicious link that, when clicked, launches a fake page designed to steal credentials entered by unsuspecting users. Victims in most of the cases investigated by Google included government, healthcare, and telecom sectors in Saudi Arabia, the United Arab Emirates, and Bahrain.
Google TAG attributed the Indian hack-for-hire actors to a firm called Rebsec, which, according to its dormant Twitter account, is short for “Rebellion Securities” and is based in the city of Amritsar. The company’s website is currently down for “maintenance,” advertised “corporate espionage services.”
A similar set of phishing attacks targeting journalists, European politicians, and non-profits has been linked to a Russian actor dubbed Void Balaur, a cyber mercenary group that was first seen late last year.
Cyberint wrote an excellent article on likely the newest significant cyber mercenary criminal group dubbed Atlas Intelligence Group (A.I.G), aka Atlantis Cyber-Army. The article says, “Over the past months we have seen many new threat groups emerging, some from the ransomware sector, some data leakers, and some from the malware development sector, but all of them use pretty much the same advertising and team assembling techniques,” the researchers wrote. “In Atlas’ case … it seems that the cybercrime industry is being introduced to a sophisticated, highly anonymous, ambitious, purely logical and nonchalant threat actor who is looking to leave his mark and establish a dominant threat group in the future.”
Atlas Intelligence Group is pushing the envelope concerning hacking groups or groups under the cyber mercenary label. While many groups focus on offering one, or maybe two services, Atlas a variety of services and does so while making it easy for clients to use its services. Check out the image below; it doesn’t get much easier than clicking a button for the type of cybercrime you want them to commit on your behalf.
Access to an organization’s servers often starts at around $1,000. Atlas offers easy communication through an encrypted telegram channel for its customers. Transactions are quick and easy using Bitcoin with no names or e-mail addresses exchanged.
As the group grows, it seems that the cybercrime industry is being introduced to a sophisticated, highly anonymous, ambitious, cyber-criminal gang that not only has the ability to hack organizations with a variety of different signature hacks, but also one that is driven by the dollar in a way that other organizations aren’t…at least not yet.
To Learn More About How to Protect Yourself from Cyber Mercenary Attacks Please Call Us – as Always We Are Happy to Help – 1 (888) 982-0678